OFFICE OF INSPECTOR GENERAL
MEMORANDUM

DATE:     November 29, 2001

TO:       Chairman

FROM:     Inspector General

SUBJECT:  Report on Government Information Security Reform Act Evaluation - Findings and Recommendations

The Office of Inspector General (OIG) has completed an evaluation of the Commission’s Information Security program in accordance with the Government Information Security Reform Act (Security Act). The Security Act requires that Inspectors General, or the independent evaluators they choose, perform an annual evaluation of each agency’s information security program and practices. We contracted with KPMG, LLP to perform the independent evaluation.

On September 5, 2001, we issued a report, entitled “FY 2001 Government Information Security Reform Act Evaluation,” summarizing the results of our independent evaluation. As a result of the independent evaluation, we have concluded that the Commission has a generally effective information security program with acceptable practices for managing and safeguarding the Federal Communications Commission’s (FCC’s) information technology assets. On September 10, 2001, our report, comprised of an executive summary and an independent evaluation, was included in a package of information provided by the Commission to the Office of Management and Budget (OMB).

However, during the independent evaluation, we identified areas for improvement in the FCC’s information security management, operational and technical controls. The evaluation identified sixteen (16) findings. Three (3) of the findings were determined to be high-risk [1] and thirteen (13) were determined to be medium risk. Findings occurred in the areas of management, operational and technical information security controls. In our opinion, implementation of our recommendations will strengthen the security of the Commission’s information security program.

[1] Each audit finding was evaluated to determine its degree of exposure based on the following risk ratings. High: Security risk can cause a business disruption, if exploited. Medium: Security risk in conjunction with other events can cause a business disruption, if exploited. Low: Security risk may cause operational annoyances, if exploited.

We are addressing these findings in the attached Special Review Report. I have attached a copy of our report, entitled “FY 2001 Government Information Security Reform Act Evaluation,” (Report No. 01-AUD-11-43) summarizing the findings that resulted from our evaluation of the Commission’s information security program. This report is a byproduct of the independent evaluation required by the Security Act.

Our recommendations will correct present problems and minimize the risk that future security problems will occur in the FCC’s information security program. All recommendations contained in the attached report will be tracked for reporting purposes by the OIG. Appendix A, Summary of Findings, provides a summary of the findings from this review. Appendix B, Detailed Findings and Recommendations, details the findings and recommendations from the review.

In its response, OMD indicated concurrence with each of the findings and recommendations. OMD also attached a Program-Level Plan of Action and Milestones, prepared by the Information Technology Center, that resolves each finding and recommendation and identifies corrective action that has been or will be taken. We have included a copy of the response from OMD in its entirety as Appendix C to this report.

MMB also indicated concurrence with each of the findings and recommendations in its response. We have included a copy of the response from MMB in its entirety as Appendix D to this report.

Due to the sensitive nature of the information contained in the appendices, we have marked them all “Non-Public – For Internal Use Only” and have limited distribution. Those persons receiving this report are requested not to photocopy or otherwise distribute this material.

H. Walker Feaster III

Attachment

cc:  Chief of Staff
     Managing Director
     Chief, Mass Media Bureau
     Chief Information Officer
     Computer Security Officer, ITC
     AMD-PERM